Enrolling and using Token2 USB Security keys with ESET Secure Authentication

ESET Secure Authentication (ESA) adds two-factor Authentication (2FA) to Microsoft Active Directory domains or local area networks,
meaning a one-time password (OTP) is generated and provided along with the generally required username and password.
There are two main approaches to OTP: TOTP and HOTP. Event-based OTP (HOTP)—expires when used or when generating a new OTP.
The Token2 security keys can be used as simple HOTP tokens and work in keyboard emulation mode. Once the HOTP secret is recorded on the device, by touching the button/sensor on the key for a couple of seconds, you initiate the OTP generation, which is automatically sent to the host system via USB as if it were entered by a keyboard (hence it is called “emulation). In this guide, we will show the procedures required to enroll and use Token2 security keys to log in to your server protected with ESA via RDP.
HOTP is the only method that will work with ESA for offline login.


Preparing an XML file with HOTP records.

First of all, you need to prepare a XML file with HOTP records in PSKC format (the Portable Symmetric Key Container (PSKC) format is used to transport and provision symmetric keys to cryptographic devices or software).
You can add several HOTP records to one file and import the file at once by adding new to <KeyPackage></KeyPackage> values. Or make separate XML files for every HOTP record.

The SerialNo and Key Id values are used to identify the intended hardware, and theoretically, you can use any value, but be sure it is different for every HOTP record.
To make it easier to identify the desired device in the list of hard tokens, you can give a friendly name instead of serial number.
Depending on the model , there are two different tools to create the HOTP profile in the Token2 USB Security keys: T2 HOTP tool and Companion app.
After creating a HOTP profile, we need to add the newly generated secret key between <PlainValue> and </PlainValue>.
Please note that the secret key (seed) should be in base32 format only. If you need to convert a hex seed to base32 format, you can use our hosted TOTP Toolset.

Create a HOTP profile with Companion

1) Open the Companion app.
2) Insert the Token Security key. The app will identify the inserted device.

3)Go to Manage/HOTP. Click set HOTP secret.

4) Generate a random Secret key and copy this seed to the XML file.

Enable and Import Hard Tokens

1. In the ESA Web Console, click Hard Tokens.
2. Select the Enabled checkbox if it has not been selected by default.
3. Click the "Import Hard Tokens button".
4. Select the XML file.
5. Click the "Import tokens" button.
6. A result notification will pop up indicating how many hard tokens were imported, and the imported hard tokens will be displayed.

Assign Hard Token to a user

1. In the ESA Web Console, click Users.
2. Click the name of the appropriate user.
3. Click the toggle next to Hard Token and select a hard token from the list.
4. Click Save.

Delete Hard Tokens

1. In the ESA Web Console, click Hard Tokens.
2. Select the appropriate tokens and click Delete.

Logging in using a Token2 Security key

1. In the ESA Web Console, click Components.
2. Select RDP, and on the right panel, enable 2FA option.

3. Use Remote Desktop Connection to connect to your server with an enrolled user. After entering you login and password, you will be prompted to enter OTP.
Plug in your Token2 Security key and click the button on it. The device will generate an OTP, which is automatically sent to ESA, and you will be able to successfully login.